<%
=begin
apps: rabbitmq
platforms: kubernetes, tanzu-application-catalog
id: enable_tls
title: Enable TLS
category: administration
weight: 20
highlight: 20
=end %>

To enable TLS support, first generate the certificates as described in the [RabbitMQ documentation for SSL certificate generation](https://www.rabbitmq.com/ssl.html#automated-certificate-generation).

Once the certificates are generated, you have two alternatives:

* Create a secret with the certificates and associate the secret when deploying the chart
* Include the certificates in the *values.yaml* file when deploying the chart

To create and use a secret with the certificates, follow these steps:

* Execute the following command to create the secret, replacing the example paths shown with the correct paths to your certificates:

        $ kubectl create secret generic rabbitmq-certificates --from-file=./ca.crt --from-file=./tls.crt --from-file=./tls.key

* Deploy the RabbitMQ chart setting the parameters below:

        tls.enabled=true
        tls.existingSecret=rabbitmq-certificates

Alternatively, include the certificates in the *values.yaml* file when deploying the chart, as shown in the example YAML configuration below:

    auth:
      enabled: true
      caCertificate: |-
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      serverCertificate: |-
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      serverKey: |-
        -----BEGIN RSA PRIVATE KEY-----
        ....
        -----END RSA PRIVATE KEY-----

Set the *auth.tls.failIfNoPeerCert* parameter to *false* to allow a TLS connection if the client fails to provide a certificate.

Set the *auth.tls.sslOptionsVerify* to *verify_peer* to force a node to perform peer verification. When set to *verify_none*, peer verification will be disabled and certificate exchange won't be performed.

If using Cert-manager to provision Let's Encrypt certificates, the *tls.crt* key in the generated TLS secret will contain the full certificate chain. Depending on the version of Cert-manager in use, this could either be an empty *ca.crt* key, or none at all. In order to instruct RabbitMQ to look for the CA certificate within the primary certificate, the *auth.tls.existingSecretFullChain* parameter can be set to *true*.
